Welcome to ISAserver.org


Discussion about article on site to site VPN between ISA 2000 and the ISA firewall

Discussion about article on site to site VPN between IS... - 8.Oct.2004 5:56:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on how to create a site to site VPN between ISA Server 2000 and the ISA firewall at http://isaserver.org/articles/2004s2s2000.html

Thanks!
Tom

[ October 08, 2004, 06:05 AM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about article on site to site VPN betwee... - 8.Oct.2004 9:23:00 AM   
davpok

 

Posts: 3
Joined: 1.Aug.2004
Status: offline
Hello Thomas, Hello everybody,
I have a problem with the same scenario.
I am using W2K3 with the latest patches.
For two years I have been using a configuration with ISA2000s, but I would like to upgrade one of my branches to ISA2004. I simulated my scenario in the lab and I have troubles with it:

I have ISA2000 and ISA2004 and I want to use a VPN site-to-site connection.
I use static pools on both ISA servers to assign IP addresses for VPN communication.
I am using L2TP for VPN with a pre-shared key. The tunnel is working fine, but I have the problem that my ISA2004 still reports in the log that I have undefined traffic - "Internal Denied 0xc0040014 - Unidentified IP Traffic" - and ISA 2004 still logs Event ID 14147 to the EventLog: "ISA Server detected routes through adapter "194.213.203.50" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 192.168.6.255-192.168.6.255;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message."

where 192.168.6.1 - 192.168.6.254 is the static pool for VPN on the ISA2000. On the ISA2004 I used the static pool for VPN 192.168.5.1 - 192.168.5.254. I checked your article and my configuration; it is the same.

What I discovered:

When I run ping from PC1, ISA2004 dials up the L2TP tunnel and connects with ISA2000 successfully. When I look at PC2's network properties I can see that the network card receives some packets. Client PC2 sends the ping response to PC1 and, because the source IP address is out of range, PC2 sends it to the gateway, ISA2000. ISA2000 takes the packet, uses the dial-up interface and creates an L2TP tunnel from ISA2000 to ISA2004 - the tunnel is connected successfully - and there it ends, and I do not know why the packet does not reach the destination PC1.

If you help me I will be lucky.
Thanks
David
MSCE W2Kx

(in reply to tshinder)
Post #: 2
RE: Discussion about article on site to site VPN betwee... - 8.Oct.2004 11:14:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi David,

How does your setup deviate from that discussed in the article?

That is how you will come to the answer to your problem.

HTH,
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion about article on site to site VPN betwee... - 8.Oct.2004 2:45:00 PM   
davpok

 

Posts: 3
Joined: 1.Aug.2004
Status: offline
Hi Tom,

I used exactly the same configuration that you describe in your article and I did exactly all the steps that you described. There are only three changes: I used L2TP, not PPTP, I used static pools on both sides and I used different IP addresses, but I think that the end result is the same. If you think that I must change these three things, I will do it.

I have been working to resolve this problem for two weeks already and I think that I have tried all configurations.

Thanks for your help.
David

(in reply to tshinder)
Post #: 4
RE: Discussion about article on site to site VPN betwee... - 8.Oct.2004 3:01:00 PM   
fsaifie

 

Posts: 48
Joined: 23.Jul.2004
Status: offline
Dear Tom,

This VPN configuration works for me, but the problem I am facing is Internet access... Branch office ISA Server 2000 clients cannot browse the Internet any more... Branch office ISA 2000 is using main office ISA 2004 as an upstream server... so web chaining is involved in this scenario...

When the main office ISA Server was 2000, it was working perfectly fine... but as soon as we upgraded, we don't have a problem with VPN, but the problem is with web chaining...

I even reinstalled the main office ISA 2004 and reconfigured everything, but the result is the same... VPN works fine and LAN access is great, but no Internet for branch office users... web chaining is not working with branch office ISA Server 2000 and main office ISA Server 2004...

(in reply to tshinder)
Post #: 5
RE: Discussion about article on site to site VPN betwee... - 10.Oct.2004 6:47:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Faisal S:
Dear Tom,

This VPN configuration works for me, but the problem I am facing is Internet access... Branch office ISA Server 2000 clients cannot browse the Internet any more... Branch office ISA 2000 is using main office ISA 2004 as an upstream server... so web chaining is involved in this scenario...

When the main office ISA Server was 2000, it was working perfectly fine... but as soon as we upgraded, we don't have a problem with VPN, but the problem is with web chaining...

I even reinstalled the main office ISA 2004 and reconfigured everything, but the result is the same... VPN works fine and LAN access is great, but no Internet for branch office users... web chaining is not working with branch office ISA Server 2000 and main office ISA Server 2004...

Hi Faisal,

Just to confirm what we discussed in another thread, the Web Proxy chaining config does not work when you chain to the machine with which you have the site to site link. However, you can chain to another machine on the network.

HTH,
Tom

(in reply to tshinder)
Post #: 6
RE: Discussion about article on site to site VPN betwee... - 10.Oct.2004 6:48:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by David Pokorny:
Hi Tom,

I used exactly the same configuration that you describe in your article and I did exactly all the steps that you described. There are only three changes: I used L2TP, not PPTP, I used static pools on both sides and I used different IP addresses, but I think that the end result is the same. If you think that I must change these three things, I will do it.

I have been working to resolve this problem for two weeks already and I think that I have tried all configurations.

Thanks for your help.
David

Hi David,

There were some typos in the table with the first version of the article. Check it out now and see how that works.

Also, try PPTP only first, then test with L2TP/IPSec. I'll test with L2TP/IPSec later, but it should not matter.

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion about article on site to site VPN betwee... - 12.Oct.2004 3:48:00 PM   
davpok

 

Posts: 3
Joined: 1.Aug.2004
Status: offline
Hi Tom,

Hi Wallace,

I have good news for you - my problem is resolved. I resolved this problem.
I reinstalled all my servers and tried to set them up as described on isaserver.org.

Only one thing was different - DNS!

But I have some possible problems on the ISA2004. When I want to change the user account for the VPN on the ISA2004 side, I must re-create the whole VPN site-to-site in order to use another user account. ???

O.K., I am happy and I will go to next steps

Thanks for your helping hand.

have a good time

Bye
David

(in reply to tshinder)
Post #: 8
RE: Discussion about article on site to site VPN betwee... - 15.Oct.2004 10:33:00 PM   
CurtisGF

 

Posts: 30
Joined: 12.Feb.2003
From: Virginia
Status: offline
quote:
Originally posted by Faisal S:
Dear Tom,

This VPN configuration works for me, but the problem I am facing is Internet access... Branch office ISA Server 2000 clients cannot browse the Internet any more... Branch office ISA 2000 is using main office ISA 2004 as an upstream server... so web chaining is involved in this scenario...

When the main office ISA Server was 2000, it was working perfectly fine... but as soon as we upgraded, we don't have a problem with VPN, but the problem is with web chaining...

I even reinstalled the main office ISA 2004 and reconfigured everything, but the result is the same... VPN works fine and LAN access is great, but no Internet for branch office users... web chaining is not working with branch office ISA Server 2000 and main office ISA Server 2004...

quote:
Originally posted by tshinder:
Hi Faisal,

Just to confirm what we discussed in another thread, the Web Proxy chaining config does not work when you chain to the machine with which you have the site to site link. However, you can chain to another machine on the network.

So without chaining, is there another way around this problem? Is there a specific machine to chain to?

Thanks.

(in reply to tshinder)
Post #: 9
RE: Discussion about article on site to site VPN betwee... - 5.Jan.2005 12:20:00 PM   
heliocs

 

Posts: 1
Joined: 5.Jan.2005
From: Brazil
Status: offline
I did exactly the procedure described in the article, but I still couldn't communicate between the 2 networks in a PPTP VPN over the Internet. My scenario is like this: 2 networks located in different locations, both using ISA 2004, and both have an Active Directory (same domain).

Could anyone help me, or has anyone made a site-to-site VPN between two ISA 2004 servers?

(in reply to tshinder)
Post #: 10
RE: Discussion about article on site to site VPN betwee... - 13.Jan.2005 6:48:00 PM   
d_w_scott

 

Posts: 12
Joined: 18.May2001
From: Memphis, TN, US
Status: offline
Thomas,

Trouble with this set up. Here's what I'm really confused about:

Local net - 192.168.2.0/24, ISA 2004, W2K3

Remote net - 192.168.42.0/42, ISA 2000, W2K

Site to site worked well when both were at ISA2K

I made as many changes to my REMOTE config as possible using the steps outlined in your article. One thing I did in particular is change the address range available to VPN clients from DHCP to a static address pool (I chose 192.168.3.0/24). However, when I do this, the LOCAL connection throws this error:
-----------------------------
ISA Server detected routes through adapter "Nashville" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 192.168.3.1-192.168.3.1;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message.
-----------------------------
("Nashville" is the connection name the Local net uses to connect to our Remote net)

Also, when I'm configured this way, the Remote net won't connect at all, and the Local net connects, then drops the connection. If I change my settings back to DHCP, the local net connects fine, but the Remote net goes up and down.

Any suggestions?

(in reply to tshinder)
Post #: 11
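Post #2 (adapter "194.213.203.50", conflict 192.168.6.255) and post #11 (adapter "Nashville", conflict 192.168.3.1) both hit the same rule quoted in Event ID 14147: an address range reachable through the demand-dial adapter's routes must also be in the remote site network element, or in neither. The Python script below is an added example, not code from the article or the forum; it parses the event text and computes both directions of the mismatch, and the remote site definition and route list it uses are constructed assumptions (the remote LAN as 192.168.42.0/24, plus a host route for the assigned pool address).

```python
import re
import ipaddress
ADAPTER_RE = re.compile(r'through adapter "([^"]+)"')
RANGE_RE = re.compile(r'(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)')
MARKER = "The address ranges in conflict are:"

def parse_event_14147(text):  # -> (adapter_name, ['first-last', ...])
    m = ADAPTER_RE.search(text)
    if not m or MARKER not in text:
        raise ValueError("not an ISA event 14147 message")
    return m.group(1), [f"{a}-{b}" for a, b in RANGE_RE.findall(text.split(MARKER, 1)[1])]

def to_interval(item):  # 'first-last' -> (int, int)
    a, b = item.split("-")
    return int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b))

def subtract(intervals, holes):  # parts of intervals not covered by holes, merged, as 'first-last'
    pieces = []
    for s, e in intervals:
        cur = [(s, e)]
        for hs, he in holes:
            nxt = []
            for cs, ce in cur:
                if he < cs or hs > ce:      # disjoint: keep the whole piece
                    nxt.append((cs, ce))
                    continue
                if hs > cs:                 # keep the part before the hole
                    nxt.append((cs, hs - 1))
                if he < ce:                 # keep the part after the hole
                    nxt.append((he + 1, ce))
            cur = nxt
        pieces.extend(cur)
    merged = []                             # coalesce touching pieces so ranges read like the event
    for s, e in sorted(pieces):
        if merged and s <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return [f"{ipaddress.IPv4Address(s)}-{ipaddress.IPv4Address(e)}" for s, e in merged]

def diagnose(event_text, element_ranges, routes_via_adapter):
    """Ranges routed via the adapter but absent from the network element belong in the element
    (typically the VPN address pool); ranges in the element with no route need a route or removal."""
    adapter, reported = parse_event_14147(event_text)
    elem = [to_interval(r) for r in element_ranges]
    rts = [to_interval(r) for r in routes_via_adapter]
    routed_only, element_only = subtract(rts, elem), subtract(elem, rts)
    return {"adapter": adapter, "reported": reported, "routed_but_not_in_element": routed_only,
            "in_element_but_not_routed": element_only,
            "matches_event": sorted(reported) == sorted(routed_only + element_only)}

# Constructed input: event text from post #11, an assumed remote site network, assumed routes via "Nashville".
SAMPLE_EVENT = ('ISA Server detected routes through adapter "Nashville" that do not correlate with the '
                'network element to which this adapter belongs. The address ranges in conflict are: 192.168.3.1-192.168.3.1;.')
REMOTE_SITE_ELEMENT = ["192.168.42.0-192.168.42.255"]
ROUTES_VIA_NASHVILLE = ["192.168.42.0-192.168.42.255", "192.168.3.1-192.168.3.1"]  # LAN route + pool host route
```

Running `diagnose(SAMPLE_EVENT, REMOTE_SITE_ELEMENT, ROUTES_VIA_NASHVILLE)` reproduces the reported conflict and shows the fix is to add the pool address range to the remote site network; re-running with that range added returns no mismatch in either direction.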
RE: Discussion about article on site to site VPN betwee... - 21.Aug.2005 8:06:00 AM   
waxer

 

Posts: 2
Joined: 21.Aug.2005
From: Beverwijk, The netherlands
Status: offline
Tom,
The article sounds fixed and ready and should work. Although I do have some issues. Here's the situation.
I have one ISA2004 on Windows 2003 in the main office and one ISA2000 on Windows 2000 (which, unfortunately, is not "in the domain", the 2003 one is!)

Many times I have tried the described config, but either the 2000 demand dial interface shows up in the main office as a client, or the 2003/4 (main office) finds that the branch office is unreachable.
Are there any ways I can solve this? I mean, if I set up 2 demand dial interfaces, they should be able to connect, right? Apart from any ISA rules?

thanks in advance for the help. I just ordered your ISA2004 book on amazon, so I'm waiting for the big "chunk".

regards,

Michael

(in reply to tshinder)
Post #: 12
RE: Discussion about article on site to site VPN betwee... - 22.Aug.2005 9:46:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Michael,

The key is naming the demand dial interfaces on each side of the site to site VPN. If the demand dial interface doesn't match the name of the credentials presented by the calling VPN gateway, then it will show up as a remote access VPN connection, not a site to site VPN connection.

HTH,
Tom

(in reply to tshinder)
Post #: 13
RE: Discussion about article on site to site VPN betwee... - 2.Sep.2005 12:54:00 PM   
waxer

 

Posts: 2
Joined: 21.Aug.2005
From: Beverwijk, The netherlands
Status: offline
Tom,
Thanks, that's news to me (hey, there's the force of the forum). In other words, if I set up a demand dial interface, I keep the name of the "user" and the name of the demand dial interface exactly the same, right?

Thanks

Michael

(in reply to tshinder)
Post #: 14
RE: Discussion about article on site to site VPN betwee... - 23.Sep.2005 4:00:00 PM   
akozak

 

Posts: 1
Joined: 23.Sep.2005
Status: offline
We're upgrading from ISA 2000 to 2004.

What is the relationship between RRAS and ISA? When I imported my ISA 2000 configuration, it created demand dial interfaces/routes in RRAS and remote sites in ISA for the site-to-site connections I had already defined.

The installation of ISA 2004 set the RRAS service to manual start. I had to change that to automatic to establish site-site connections.

Now when I add a new remote site in ISA 2004 as per your example, nothing happens. I still have to add the connections in RRAS manually before there is any site-site communication.

Did I miss something?

Regards,

Al

(in reply to tshinder)
Post #: 15
RE: Discussion about article on site to site VPN betwee... - 30.Sep.2005 12:50:00 PM   
jwilcox

 

Posts: 20
Joined: 14.Sep.2004
From: San Angelo, TX
Status: offline
We have set up our site to site VPN as described in the article. Everything works as expected except a couple of things. It seems that the VPN connection can only be initiated from the branch ISA server. When you try to initiate the connection from the main ISA (2004) server, we get Destination Unreachable. Also, we cannot seem to ping from the main network to the branch network. We can access shares and remote desktop into the branch network, so I know we can communicate. Ping just doesn't work.
Any ideas?

(in reply to tshinder)
Post #: 16
RE: Discussion about article on site to site VPN betwee... - 6.Oct.2005 2:05:00 AM   
Guest
Jack,
I have an identical problem.
Did you fix it?

Nick

(in reply to tshinder)
  Post #: 17
RE: Discussion about article on site to site VPN betwee... - 6.Oct.2005 10:40:00 AM   
jwilcox

 

Posts: 20
Joined: 14.Sep.2004
From: San Angelo, TX
Status: offline
No, we have not fixed it yet. If anyone has any ideas, I would appreciate it. I will keep you posted if we come across a fix.

jack

(in reply to tshinder)
Post #: 18
RE: Discussion about article on site to site VPN betwee... - 14.Dec.2005 5:27:06 AM   
joedr

 

Posts: 5
Joined: 14.Dec.2005
Status: offline
Tom,

I have the same scenario but the remote ISA (ISA 2000) is a Domain Controller and is giving me the following error everytime I try to run the local ISA VPN Setup: "The wizard cannot create the VPN connection.  An action to allow dial-in permissions failed."

Any idea what will be the workaround?  I think that what is causing the problem is that since the server is also a DC; it is failing to create the local account at the end of the wizard.

Thanks for your help in advance!

-Joed

(in reply to tshinder)
Post #: 19
RE: Discussion about article on site to site VPN betwee... - 18.May2006 10:36:22 AM   
Adham

 

Posts: 4
Joined: 12.Apr.2005
From: Amman, Jordan
Status: offline
Hello Tom,

I have the site-to-site up and running smoothly. I also have two SQL servers waiting to be configured as replicas of each other; I can connect to them using the SQL connection, RDP, ping....

The problem I am facing is that from either of the two servers I can't access the share level of the other SQL server.
I can access the share level from any computer on the same network to the SQL server located at the same site.

can you please help me with this problem?

thank you

(in reply to joedr)
Post #: 20